If you spend enough time perusing the Internet for helpful information on how to build a botnet or hack an online game, you’ll inevitably end up on a discussion board site filled with posts from various hackers eager to share that knowledge and build up their street cred. But even if you use Tor to explore the “dark Web” for such boards, you’ll never reach the 1337est board of them all—the discussion board hosted on the National Security Agency’s NSAnet.

The latest data dump from the archive of NSA webpages leaked by Edward Snowden contains a sampling of posts from the NSA’s internal hacker board by one author in particular—an NSA employee that The Intercept’s Ryan Gallagher and Peter Maass claim is the person who wrote presentations on attacking the Tor network. In one of his posts, the author outlines approaches to gaining access to networks used by individuals targeted for surveillance.

That post, entitled “I hunt sysadmins,” provides a primer for NSA cyber-warriors to identify and target system administrators of networks to exploit their access privileges for the purposes of surveilling or attacking a target that is connected to them. The two-part post and others published by The Intercept show the extent of the NSA’s ability to target and exploit networks worldwide using the automated hacking tools at the agency’s disposal. But the new data also shows how similar the approaches of the NSA’s cyber-operators are to those used by “black hat” hackers and criminal hacking rings, and it offers some hints about the NSA’s internal “hacker” culture.

The power of awesome

The “I hunt sysadmins” post was part of a series of helpful hints written by the unnamed author in response to what he saw as opportunities to exploit the NSA’s massive troves of data for more creative approaches to gathering intelligence. “Our ability to pull bits out of random places of the Internet, bring them back to the mother-base and evaluate and build intelligence off of [it] is just plain awesome!” he wrote in an introductory post. “One of the coolest things about it is how much data we have at our fingertips… If we only collected the data we knew we wanted…yeah, we’d fill some of our requirements, but this is a whole world of possibilities we’d be missing!"

"Up front, sys admins are generally not my end target,” the author continued. “My end target is the extremist/terrorist or government official that happens to be using the network some sys admin takes care of.” But sysadmins hold the keys to getting at the targets; by gaining administrative access to network or telecommunications infrastructure, an NSA operator or analyst could get a wealth of additional detail about both its inner workings and the activities of specific individuals.

The author listed the details available:

Topology of the network we are targeting

Credentials for infrastructure devices

Situational knowledge, such as access lists set up to only allow specific IP addresses to administer certain machines

An overall knowledge of how the network is put together and configured
This sort of strategy explains why sysadmins at otherwise "friendly" telecommunications networks—like the engineers at Belgacom who were hacked by the GCHQ—find themselves targeted. The attacks on Belgacom were likely a step toward collecting intelligence on a specific individual believed to be in Belgium by tapping into the provider's network infrastructure, allowing the GCHQ to gain access to SMS messages and other data directly from the network and determine exactly which tower the target's phone was talking to when they were sent.

The series of "I hunt" posts provides a primer on how NSA operators can use the broad passive collection capabilities of Turmoil and XKeyscore to identify and target system administrators in order to improve computer network exploitation (CNE) efforts. It’s possible to occasionally get lucky and identify a sysadmin for a network by using “Google-fu” to search for things like forum posts that use both the administrator’s official and personal e-mail addresses in a signature or to look for information within other data captured from the targeted network that might identify a sysadmin. But there are more scientific approaches to finding out who has the keys to a particular network kingdom.

Using analysis of secure shell (SSH) traffic, for example, operators can identify the IP addresses associated with administrators based on the volume of data going back to the client from the server or router.

As the author explained:

Based purely off of:

From port 22

Session size is greater than 1500 bytes

then I can infer that:

To IP= admin

From IP = server/router

The admin appears to have successful access to the server.
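A defender-side implementation of the same inference, as an added example that is not from the article or the leaked post: it applies the "from port 22, more than 1500 bytes" rule to constructed flow records and flags inferred admin clients that fall outside an assumed allowlist of approved admin networks, which is the check an operator of that network would want to run against their own flow data.

```python
import ipaddress
from dataclasses import dataclass

# Constructed unidirectional flow records, not real traffic:
# (src_ip, src_port, dst_ip, dst_port, bytes_sent)
SAMPLE_FLOWS = [
    ("10.0.0.5", 22, "192.168.1.10", 51234, 48210),  # server -> client, long session
    ("10.0.0.5", 22, "203.0.113.77", 40001, 1240),   # server -> client, too small (banner/failed auth)
    ("10.0.0.5", 22, "198.51.100.9", 40222, 9800),   # server -> client, from outside the allowlist
    ("192.168.1.10", 51234, "10.0.0.5", 22, 3100),   # client -> server direction, not used by the rule
]

# Assumed allowlist of networks permitted to administer 10.0.0.5
# (the "access lists" the post counts as situational knowledge).
ADMIN_ALLOWLIST = [ipaddress.ip_network("192.168.1.0/24")]


@dataclass
class AdminSession:
    admin_ip: str
    server_ip: str
    nbytes: int
    approved: bool


def infer_admin_sessions(flows, allowlist=ADMIN_ALLOWLIST, min_bytes=1500):
    """Apply the post's rule: a flow *from* port 22 carrying more than
    min_bytes implies dst = admin client, src = server/router, and a
    successful login. Each hit is checked against the admin allowlist."""
    sessions = []
    for src_ip, src_port, dst_ip, dst_port, nbytes in flows:
        if src_port != 22 or nbytes <= min_bytes:
            continue
        client = ipaddress.ip_address(dst_ip)
        approved = any(client in net for net in allowlist)
        sessions.append(AdminSession(dst_ip, src_ip, nbytes, approved))
    return sessions


def unapproved_admin_ips(flows, allowlist=ADMIN_ALLOWLIST):
    """Inferred admin clients that the access policy does not expect."""
    return sorted({s.admin_ip for s in infer_admin_sessions(flows, allowlist)
                   if not s.approved})


if __name__ == "__main__":
    for s in infer_admin_sessions(SAMPLE_FLOWS):
        print(s)
    print("unexpected admin sources:", unapproved_admin_ips(SAMPLE_FLOWS))
```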

Administrators' IP addresses can also be discovered by using an “awesome” NSA tool called Discoroute, which the author of the post said is “designed to suck up and database router configuration files seen in passively collected telnet sessions.”

Discoroute can also be used to discover which IP addresses can access the router via telnet. And if the contents of telnet sessions are in the clear, they can often be used to expose router passwords, even if they’re hashed. The author said that Cisco’s “password 7” hashing is “ROFL-easy to crack. You can Google ‘cisco password 7 cracker’ and get web pages that allow you to copy the password 7 hash, and it’ll break it for free…anyone can figure out the password for this router.”
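As an added example (not from the article, the NSA tool, or Cisco), a small audit of a constructed Cisco IOS configuration that flags the two things the post describes being harvested from passively collected sessions: reversible "password 7" entries and vty lines that still accept telnet. The hostname, usernames, type 7 strings and the type 5 hash are placeholders.

```python
import re

# Constructed Cisco IOS configuration fragment; hostname, users, the type 7
# strings and the type 5 hash are placeholders, not values from any real device.
SAMPLE_CONFIG = """\
service password-encryption
hostname edge-rtr-placeholder
enable password 7 01234567ABCD
username admin password 7 0F1E2D3C4B5A
username ops secret 5 $1$SALT$PLACEHOLDERHASH
line vty 0 4
 transport input telnet
line vty 5 15
 transport input ssh
"""

# "password 7" is Cisco's reversible type 7 obfuscation; 'secret' lines use a
# one-way hash and are not flagged.
TYPE7_RE = re.compile(
    r"^\s*(?:enable password|username\s+\S+\s+password)\s+7\s+[0-9A-Fa-f]+", re.M)
# vty lines accepting telnet carry the whole session in cleartext, which is
# what lets a passive collector see the configuration in the first place.
TELNET_RE = re.compile(r"^\s*transport input\s+(?:telnet|all)\b", re.M)

FIXES = {
    "type7_password": "replace with 'enable secret' / 'username ... secret'",
    "telnet_enabled": "set 'transport input ssh' on the vty lines",
}


def audit_config(cfg):
    """Return (finding, offending line, suggested fix) triples."""
    findings = []
    for m in TYPE7_RE.finditer(cfg):
        findings.append(("type7_password", m.group(0).strip(), FIXES["type7_password"]))
    for m in TELNET_RE.finditer(cfg):
        findings.append(("telnet_enabled", m.group(0).strip(), FIXES["telnet_enabled"]))
    return findings


if __name__ == "__main__":
    for kind, line, fix in audit_config(SAMPLE_CONFIG):
        print(f"{kind}: {line!r} -> {fix}")
```

Note that `service password-encryption` only turns cleartext passwords into type 7 strings, so its presence in the sample does not clear the findings.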

All of this data can be searched for within the NSA’s collection of passive data. Once an administrator is identified, the author suggested, his or her Web e-mail accounts or Facebook account can be targeted using a Quantum attack, by using the NSA’s man-in-the-middle capability to insert malware into Web sessions and give the agency’s operators access to the administrator’s personal system.

119 Reader Comments

People are using encrypted telnet in 2014? This would have been unthinkable to me years ago but now...

The big thing this story brings to light is the level of competence the NSA is bringing to this. The old hacker assumption that the government is a bunch of old-technology Luddites is one that needs to go away quick.

What bothers me is the implication for average users. Sure, I can roll a hardened Linux from scratch with SELinux, build and set up all the not-so-run-of-the-mill security packages, change the normal ssl tty ports, boot from a read-only volume, and run a log on the external face of the NAT, etc.

But the folks who picked up a router from Micro Center? They don't stand a chance... And learning the necessary skills involves a significantly steep curve.

What's missing in this reveal is what country the targets are in. If it's outside the USA, it's legal by USA laws. They would not be flouting laws.

They've already said that if one end of the connection is in the US and the other overseas, the US end comes under suspicion. Considering how 60 to 90% of the Internet's service providers are in the US, how many sysadmins getting hacked are non-US? And once they have the sysadmin's credentials, yours are next on the list.

Your credentials will get swept up as metadata "just in case they need them later."

It's nice to know that I am a target, before I was just in the same dragnet as the rest of the unwashed masses. Now I am special.

Heck yes you are a target. I'm a sysadmin. I just got an "e-fax message" with our company name and my name in the headers. Attached was fax235245.zip. With a .SCR file in it. The SCR is of course screensaver which is a Win32 executable.

Someone else here, very high up, also got a similar message and opened it. I saw traffic on funny UDP ports from his PC to about a dozen different IPs in Russia. Helpdesk is in his office right now.

He needs to be told if he does it again he gets to pay to fix it. Submit a bill to the CFO that gets the point across real fast.

And people wonder why I keep security on my home network and systems to a crazy level.......

Things have certainly changed.

Those we used to call paranoid tinfoil hats have been proven right. Snowden says the biggest things are yet to come. I honestly cannot imagine what could be bigger than what's already out there. Although a lot of the info is from 2010 and before, so 4 years old now. A lot can happen in that timespan.

If the NSA hacked you, you wouldn't even know.

The really funny thing is that all this time we've been thinking we are defending our systems from the Russian Hacker Mafia. We didn't know that these guys are amateurs; they're the least of our troubles. They're the idiots.

The NSA isn't going to bother with this stuff. They will hijack your browser session to arstechnica, they will deliver you a payload of zero-day exploit for your specific browser along with the website, it will install a hypervisor-based trojan you can't detect with normal Windows tools, and they will own you. They don't even need to put their best people on it - all this stuff is automated, there's a full tool chain for it, all they need is an operator hitting the button after they identified your IP.

I know that. Where did I say I got hacked by NSA. We are a small defense contractor. If they wanted something from us they could just ASK and we'd probably give it to them.

This is Russian mafia from the looks of it. Semi-random attack. Fax for %first_name %last_name, company %company_name. Still, we appear to be important enough to gather that info in the first place and then blast it out to two people who could do the most damage if their PCs are infected.

Sounds like a business opportunity to me. But I think it bears keeping in mind the NSA vs black hat is that they have physical resources, and the legal tools to get what they want. Maybe their legal/accounting teams are the same level of awesome?

They're using SSH, but it doesn't matter because the NSA included weaknesses into the encryption standard to allow them access. I've been saying since the beginning. SELinux didn't come without a price.

This is why you don't use "default" modes... And why it's hard for average users, which shouldn't be the case. Security needs to NOT be an uphill technical battle for users. How many Mint Linux users know how to check their shadow passwords to see if it is set for SHA-512?

As techies we should all be better than this in our making of tools. Grandma shouldn't have to learn rocket science in order to get on the web and see videos of her grandchildren without having her computer compromised and her pension bank accounts stolen.

Most people get on the road without having an accident every day. But opening the wrong email can put your average person at serious financial risk. I think those of us who herald computer "science" can come up with a better way, and we need to.

They included a weakness in the weakest encryption standard. There are actually proven strong encryption standards.

Security isn't easy; it takes effort, and most people are just lazy. If security was easy everyone would be secure, we wouldn't have credit cards being stolen from Target, and people like Snowden wouldn't exist.

If the subhuman trash at the NSA ask you for anything, the correct answer is, "Burn in hell! Give me a court order or go home."

Working with the NSA is treason, not just against the United States but against all of humanity. People who fly planes into buildings are just criminals. The NSA are the real terrorists.

Yeah, right. That is why the Veteran's Administration is so efficient. The people get the Luddites and the power gets the hackers.

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.